Cyber attacks Target Healthcare Orgs on Coronavirus Front-lines

6th May 2020

Cyber-criminals aren’t sparing medical professionals, hospitals and healthcare orgs on the front-lines of the coronavirus pandemic when it comes to cyber-attacks, ransomware attacks and malware.

Recent malware campaigns reveal that cyber-criminals aren’t sparing healthcare firms, medical suppliers and hospitals on the front-lines of the coronavirus pandemic.

Researchers have shed light on two recently uncovered malware campaigns: one targeting a Canadian government healthcare organisation and a Canadian medical research university, and the other hitting medical organisations and medical research facilities worldwide.

The emails sent to these unnamed organisations purported to send COVID-19 medical supply data, critical corporate communications regarding the virus or coronavirus details from the World Health Organisation (WHO) – but actually aimed to distribute ransomware, infostealer malware and more.

These recent campaigns are the tip of the iceberg when it comes to cyber-crime targeting organisations in the healthcare space, researchers said. “Despite prior reporting by various sources indicating that some cyber-threat attacker activity may subside in some respects during the COVID-19 pandemic, Unit 42 has observed quite the opposite with regard to COVID-19 themed threats, particularly in the realm of phishing attacks,” said Adrian McCabe, Vicky Ray and Juan Cortes, security researchers with Palo Alto Networks’ Unit 42 team, in a Tuesday post.

Ransomware Attacks

Between March 24 – 30, researchers observed various malicious emails attempting to spread ransomware to several individuals associated with an unnamed Canadian government health organisation actively engaged in COVID-19 response efforts, as well as a Canadian university that is conducting COVID-19 research.

The emails, sent from a spoofed WHO email address (noreply@who[.]int), contained a rich text format (RTF) file that purported to spread information about the pandemic. When opened, the RTF file attempted to deliver a ransomware payload that exploits a known vulnerability (CVE-2012-0158) in Microsoft Office, which allows attackers to execute arbitrary code.

When opened, the malicious attachment drops a ransomware binary to the victim’s disk and then executes it. To avoid detection, the dropped binary has a hidden attribute set, which is used when some content is obsolete and no longer necessary, to completely hide details from the user. The binary also uses an Adobe Acrobat icon to further cloak its true purpose.

After further analysis of the code structure of the binary and the host-based and network-based behaviours, researchers determined that the malware is an open-source ransomware variant called EDA2, which is associated with a larger, parent ransomware family called HiddenTear.

After execution, the victim receives a ransomware infection notification display on their desktop, which states: “If you want to unlock your files you must sent .35 BTC [Bitcoin] to this address,” and then gives an address for where to send the ransom payment. The ransomware binary then encrypts various files extensions, including “.DOC”, “.ZIP”, “.PPT” and more. Of note, “this ransomware binary has a particularly substantial limitation; it is hard-coded to only encrypt files and directories that are on the victim’s desktop,” said researchers.

Researchers said the ransomware samples in this campaign weren’t successful in reaching their intended victims. Other targets haven’t been so lucky, however. Despite ransomware gangs recently pledging that they would stop attacking hospitals in the midst of the pandemic, cyber-attacks continue. Several hospitals have been targeted by the Ryuk ransomware, according to security researcher “PeterM” on Twitter.

Hammersmith Medicines Research, a London-based healthcare provider that was working with the British government to test COVID-19 vaccines, was also recently hit by a ransomware attack. The Maze ransomware operators, which launched the attack, later posted the stolen data online.

Malware Attacks

Unit 42 researchers also spotted a separate campaign targeting various organisations, including medical organisations and medical research facilities located in Japan and Canada, with the AgentTesla malware.

Other firms targeted by this malware include a United States defence research entity, a Turkish government agency managing public works, a German industrial manufacturing firm, a Korean chemical manufacturer, and medical organisations/research facilities located in Japan and Canada (all unnamed).

The malspam emails used the coronavirus as a lure, with a malicious attachment pretending to be a “COVID-19 Supplier Notice” or a “Corporate advisory” for coronavirus.

The email address sending the malspam emails, “Shipping@liquidroam[.]com,” uses a legitimate business domain for LiquidRoam, which provides sales of electric skateboards. This led researchers to conclude that the domain has been compromised and that the infrastructure is being used by cyber-criminals.

The attachments for the emails were actually droppers delivering variants of the AgentTesla malware family. AgentTesla, an info-stealing malware which has been around since 2014, is sold in multiple forums commonly visited by cyber-criminals, and is one of the top malware families of choice of the SilverTerrier threat actor, known for business email compromise (BEC) campaigns.

“All the associated samples connected to the same C2 domain for ex-filtration: ‘ftp[.]lookmegarment[.]com,’” researchers said. “Our analysis also shows that the AgentTesla samples had hard-coded credentials used to communicate with the C2 over FTP.”

Attackers continue to leverage coronavirus-themed cyber-attacks as panic around the global pandemic continues – including malware attacks, booby-trapped URLs and credential-stuffing scams.

“It is clear from these cases that the threat actors who profit from cyber crime will go to any extent, including targeting organisations that are on the front lines and responding to the pandemic on a daily basis,” said Unit 42 researchers.